
INFORMATION TECHNOLOGY AUDIT

Information technology (IT) audits assess the controls, accuracy, and integrity of an institution's electronic data processing and computer areas. National banks and their service providers are expected to conduct independent assessments of risk exposures and internal controls associated with the acquisition, implementation, and use of information technology. The bank's internal auditor, external auditor, a service provider's internal auditor, a third party, or any combination of these can perform these assessments. IT audit often includes both targeted audits of IT functions and integrated reviews of IT functions as part of other operational audits.

IT audits should address the risk exposures inherent in IT systems and applications throughout the institution and at its service providers. IT audits should cover, as applicable, such areas as: user and data center support and delivery, local and wide area networks, telecommunications, information security, electronic data interchange, development and acquisition, business continuity and contingency planning, data integrity, confidentiality and safeguarding of customer information, and technology management. IT audits might also include a review of computer and client/server systems, end-user reports, electronic funds transfer, and service provider activities.
An information technology audit, or information systems audit, is an examination of the controls within an information technology (IT) infrastructure. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement. Formerly called an electronic data processing (EDP) audit, an IT audit is the process of collecting and evaluating evidence of an organization's information systems, practices, and operations. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively and efficiently to achieve the organization's goals or objectives. IT audits are also known as automated data processing (ADP) audits and computer audits.

Purpose:
An IT audit is not entirely similar to a financial statement audit. An evaluation of internal controls may or may not take place in an IT audit. Reliance on internal controls is a unique characteristic of a financial audit. An evaluation of internal controls is necessary in a financial audit in order to allow the auditor to place reliance on the internal controls and, therefore, substantially reduce the amount of testing necessary to form an opinion regarding the financial statements of the company. An IT audit, on the other hand, tends to focus on determining risks that are relevant to information assets, and on assessing controls in order to reduce or mitigate these risks. An IT audit may take the form of a "general control review" or an "application control review". Regarding the protection of information assets, one purpose of an IT audit is to review and evaluate the availability, confidentiality, and integrity of an organization's information systems by answering questions like:

Will the organization's computer systems be available for the business at all times when required? (Availability)
Will the information in the systems be disclosed only to authorized users? (Confidentiality)
Will the information provided by the system always be accurate, reliable, and timely? (Integrity)

There are 3 systematic approaches to carrying out an IT audit:

a. Technological innovation process audit: The aim is to construct a risk profile for existing and new projects by assessing the length and depth of the company's experience in its chosen technologies, markets, project organization and industry structure.

b. Innovative comparison audit: Analysis of innovative abilities compared to competitors. It requires examination of the company's track record in new products, research and development facilities, etc.

c. Technological position audit: This reviews the technologies needed by the business and places them in one of the four categories of base, key, pacing and emerging.
